
We looked long and hard at pfSense to use as a NATing gateway, but as good as the product is, its logging features are (were?) pretty awful. I can't speak to what it logs as a router, but if this is important to you, you may want to verify it meets your needs. -Brian H.

Comments

On Wed, Mar 06, 2013 at 02:05:33PM +0000, Brian Helman wrote:
> We looked long and hard at pfSense to use as a NATing gateway, but as
> good as the product is, its logging features are (were?) pretty
> awful. I can't speak to what it logs as a router, but if this is
> important to you, you may want to verify it meets your needs.

This was part of why we went vanilla FreeBSD instead of pfSense. OpenBSD's tcpdump has out-of-the-box support for the pfSync device (additions, subtractions and modifications to the firewall tables to share state between multiple firewalls). The original author of pf, Daniel Hartmeier, has a patch for the tcpdump in FreeBSD 8.x that adds pfsync support. That makes it trivial to run something like

    tcpdump -i pfsync0 'ether[2]!=2' >> /tmp/nat_logs 2>&1 &

Every hour we parse the log (go go perl) for inserts and removals. THAT script has been written, rewritten and edited heavily to reduce run-time and to take advantage of cheap storage but expensive CPU cycles.

If we have to replace one I do a vanilla install, grab my handy dandy deploy script and it copies any necessary scripts or patches, patches tcpdump, sets the config for pf, etc. Overall time to replace one of our NAT firewalls, once it's actually racked, is under half an hour -- and that includes the five to ten minutes to do the OS installation.

kmw

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
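The hourly pass kmw describes (reading the pfsync capture for state inserts and removals) is the part that turns a NAT box into something you can answer an abuse report from. The following is an added example, not kmw's perl script and not code from this list: a Python parser over constructed, simplified event lines. The line layout below is an assumption made for the example, not the real tcpdump pfsync print format; the regular expression is the one thing you would adapt to whatever your patched tcpdump actually emits. It pairs each INS with its DEL into a translation record with a lifetime, tolerates garbage lines, and answers the question NAT logs exist for: which inside host held a given external address:port at a given time.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input. The field layout is an assumption made for this
# example; it is NOT the real tcpdump pfsync print format, which you would
# adapt LINE_RE to.  Each line:
#   <timestamp> <INS|DEL> <proto> <inside src> <translated src> <destination>
SAMPLE_LOG = """\
2013-03-06 14:05:33.120000 INS tcp 10.20.30.40:51234 203.0.113.10:40001 198.51.100.7:443
2013-03-06 14:05:34.000000 INS udp 10.20.30.41:5353 203.0.113.10:40002 198.51.100.53:53
2013-03-06 14:06:10.500000 DEL udp 10.20.30.41:5353 203.0.113.10:40002 198.51.100.53:53
2013-03-06 14:07:00.000000 INS tcp 10.20.30.42:60000 203.0.113.10:40002 198.51.100.8:80
2013-03-06 14:12:45.250000 DEL tcp 10.20.30.40:51234 203.0.113.10:40001 198.51.100.7:443
this line is garbage and must be skipped, not crash the hourly run
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<act>INS|DEL)\s+(?P<proto>\w+)\s+"
    r"(?P<inside>\S+)\s+(?P<nat>\S+)\s+(?P<dst>\S+)$"
)


def parse_ts(value):
    """Parse the timestamp used in SAMPLE_LOG; datetime objects pass through."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def _record(key, start, end):
    proto, nat, inside, dst = key
    return {"proto": proto, "nat": nat, "inside": inside,
            "dst": dst, "start": start, "end": end}


def build_translation_records(lines):
    """Pair state inserts with their removals.

    Returns (records, stats).  Each record is one NAT translation with its
    lifetime; translations still open at the end of the batch get end=None so
    the next hourly run can close them.  Malformed lines are counted in
    stats['unparsed'] instead of aborting the run.
    """
    open_states = {}          # (proto, nat, inside, dst) -> insert time
    records = []
    stats = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            stats["unparsed"] += 1
            continue
        key = (m["proto"], m["nat"], m["inside"], m["dst"])
        ts = parse_ts(m["ts"])
        if m["act"] == "INS":
            stats["inserts"] += 1
            open_states[key] = ts
            continue
        stats["removals"] += 1
        start = open_states.pop(key, None)
        if start is None:
            # A DEL without a matching INS: the insert was in an earlier batch
            # or was lost.  Count it so the gap is visible; don't guess a start.
            stats["unmatched_del"] += 1
            continue
        records.append(_record(key, start, ts))
    for key, start in open_states.items():
        records.append(_record(key, start, None))
    return records, stats


def who_was(records, proto, nat_addr, when):
    """Inside addresses that held translated address nat_addr at time `when`.

    This is the abuse-report question: someone reports 203.0.113.10:40001
    at 14:10, and the answer has to come from the log, not from memory.
    """
    when = parse_ts(when)
    hits = set()
    for r in records:
        if r["proto"] != proto or r["nat"] != nat_addr:
            continue
        if r["start"] <= when and (r["end"] is None or when <= r["end"]):
            hits.add(r["inside"])
    return sorted(hits)


if __name__ == "__main__":
    recs, st = build_translation_records(SAMPLE_LOG.splitlines())
    print(dict(st))
    print(who_was(recs, "tcp", "203.0.113.10:40001", "2013-03-06 14:10:00.000000"))
```

Two design points worth keeping whatever format you parse: the pairing key includes the inside address and destination as well as the translated address, so a port reused by a different host (tcp 40002 above, after the udp state on the same port closed) never gets attributed to the wrong client; and still-open translations are emitted with an open end rather than dropped, because the state that matters in an investigation is often the one that was still alive when the hour rolled over.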
We use the pfflowd package for pfSense to provide logging. We send the data to an installation of NFSEN (nfsen.sourceforge.net) to view and graph the flow data. My understanding is that the pfflowd package simply translates the pfsync device's output into netflow packets and allows you to direct them to any NetFlow collector.

________________________________
Ian Bergeron
Administrator of Networked Systems
MCLA Computer Support Services
Office:(413)662-5394 - Cell:(413)663-0957
Ian.Bergeron@mcla.edu

The EDUCAUSE Network Management Constituent Group Listserv writes:
>We looked long and hard at pfSense to use as a NATing gateway, but as
>good as the product is, its logging features are (were?) pretty awful.
>I can't speak to what it logs as a router, but if this is important to
>you, you may want to verify it meets your needs.
>
>-Brian H.